Process Explorer 16.0 Adds VirusTotal Integration

Author Mark Russinovich just dropped version 16.0 of Sysinternals procexp, an indispensable utility that displays a tree view of every process on a Windows system along with its resource consumption. Procexp’s visual representation of the activity on a system is so useful for performance tuning that I not only keep an instance in my toolkit, but also place one right smack on the desktop of pretty much every machine I’m responsible for. Version 16.0 is a big feature update boasting newly added integration with cloud antivirus service VirusTotal.

How it works

VirusTotal, for its part, is an aggregator of something like 50 different companies’ antivirus detection engines, from small to large, and it repackages the sum total of these detection services back to the world as a convenient and free web service. VirusTotal has been a factor in the industry since 2007 and was acquired by Google in 2012, becoming an independent subsidiary.

VirusTotal does detection and detection only. The results of the 50-some-odd scan engines are intended to present a comparative view of the whole detection coverage universe, in a far more informative and comprehensive fashion than scanning with one antivirus alone. They do accept straight uploads; however, once a file has been seen, its hash (unique fingerprint) is recognized by VirusTotal’s servers, and thereafter only the hash is necessary to render the results report for that file. A public API allows programmatic hash querying, and this is the API that procexp now calls.

When you toggle on the new feature, procexp queries VirusTotal’s web service with the hashes of all running process images and reports the results in a new column in its main view, as e.g. “0/50”, where the first quantity is the number of scan engines with positive detections and the second is the number of engines consulted. The detection count hyperlinks to the VirusTotal report page for the file, and anywhere the count is greater than zero, it appears in red.
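To make the hash-only workflow concrete, here is an added example (my own code, not Sysinternals’ or VirusTotal’s) that hashes process image files the way a VirusTotal hash query would and renders the “positives/total” cell from a report dictionary. The report dictionaries are constructed samples in the shape of VirusTotal’s v2 file/report JSON (assumed field names: response_code, positives, total, permalink); no network call is made, and the “process images” are a few constructed byte strings rather than real binaries. It also shows the one distinction worth getting right in such a column: a hash VirusTotal has never seen (“Unknown”) is not the same thing as “0/50”.

```python
"""Hash-lookup workflow in the style of procexp's VirusTotal column (added example)."""
import hashlib
from typing import Dict

# Constructed stand-ins for process image files (not real executables).
SAMPLE_IMAGES: Dict[str, bytes] = {
    r"C:\Windows\System32\svchost.exe": b"MZ\x90\x00constructed-benign-image",
    r"C:\Users\Public\updater.exe": b"MZ\x90\x00constructed-suspicious-image",
    r"C:\Tools\newtool.exe": b"MZ\x90\x00constructed-never-uploaded",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an image in memory; the hash is the only thing sent to VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """Hash a file on disk in 1 MiB chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _constructed_report(sha256: str, positives: int, total: int = 50) -> dict:
    """Build a constructed report in the assumed shape of a VT v2 file/report reply."""
    return {
        "response_code": 1,  # 1 = VirusTotal knows this hash
        "positives": positives,
        "total": total,
        "permalink": f"https://www.virustotal.com/file/{sha256}/analysis/",
    }


# Constructed lookup table standing in for the VirusTotal service. The third
# sample image is deliberately absent: VirusTotal has never seen that hash.
CONSTRUCTED_REPORTS: Dict[str, dict] = {
    sha256_hex(SAMPLE_IMAGES[r"C:\Windows\System32\svchost.exe"]):
        _constructed_report(sha256_hex(SAMPLE_IMAGES[r"C:\Windows\System32\svchost.exe"]), 0),
    sha256_hex(SAMPLE_IMAGES[r"C:\Users\Public\updater.exe"]):
        _constructed_report(sha256_hex(SAMPLE_IMAGES[r"C:\Users\Public\updater.exe"]), 7),
}


def lookup_report(sha256: str) -> dict:
    """Stand-in for the HTTPS hash query; a real client would call the VT API here."""
    return CONSTRUCTED_REPORTS.get(sha256, {"response_code": 0})


def render_cell(report: dict) -> str:
    """Column text: 'positives/total' for a known file, 'Unknown' otherwise.

    'Unknown' is kept distinct from '0/50': a hash the service has never seen
    says nothing about whether the file is clean.
    """
    if report.get("response_code") != 1:
        return "Unknown"
    return f"{report['positives']}/{report['total']}"


def is_flagged(report: dict) -> bool:
    """True when at least one engine detected the file (the rows procexp paints red)."""
    return report.get("response_code") == 1 and report.get("positives", 0) > 0


def scan_images(images: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every image and return {path: cell text}, mirroring the new column."""
    return {path: render_cell(lookup_report(sha256_hex(data))) for path, data in images.items()}


if __name__ == "__main__":
    for path, data in SAMPLE_IMAGES.items():
        report = lookup_report(sha256_hex(data))
        marker = "  <-- RED" if is_flagged(report) else ""
        print(f"{render_cell(report):>8}  {path}{marker}")
```

Running it prints one line per image: 0/50 for the benign sample, 7/50 flagged red for the suspicious one, and Unknown for the file VirusTotal has never seen. A real client would replace lookup_report with the HTTPS call and handle the no-network case separately from “Unknown”.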

This new capability in procexp is compelling for those who, like myself, routinely encounter severely impaired Windows systems and have had to rely on separate tools for the diagnosis of process load issues versus the diagnosis of malware infections. The underlying cause of degraded performance is not necessarily apparent from the outset. You can find yourself running time-consuming scans just to eliminate certain pathologies, and often few things will run normally at all.

Procexp runs the hashes of all process images through VirusTotal and, within seconds, lights up like a Christmas tree showing you where you have a possible infector (and where you don’t). It won’t find nearly as much as a full scan with something like Spybot, and isn’t intended to. Rather, this is a way to assess the infection state of a system in three seconds instead of the fifteen minutes plus a comprehensive scan might take. Certainly it should save a lot of time that would have been spent looking at an entry in procexp’s process tree and wondering, “what is that and do I trust it?”

Shortcoming: You must be online for the VirusTotal query to work, obviously. And very often in the kind of situation I described, that’s a problem. Them’s the breaks in the “cloud”.